About the Author

Joe Harris, CCIE No. 6200 (R&S, Security & SP) is a Systems Engineer with Cisco Systems® specializing in Security. In addition to authoring Cisco Network Security Little Black Book, Joe has also been a technical reviewer for several Cisco Press publications and written articles, white papers, and presentations on various security technologies. He also assists various Certification Partners by beta testing their newest CCIE certification workbooks and has been recognized by Cisco as an SE Wall of Fame award winner.

ASA Regular Expressions Files

Ok, so a great many of you have sent me questions regarding Regular Expressions and their use on the ASA, so I thought I would pass along some files that have been pre-built for you so that you don't have to reinvent the wheel when you want to use RegExes. I have listed each of the text files below. Feel free to edit them as you choose to meet your needs, and if you have already created a list, email me so that the rest of the readers can benefit from it.

Archive File Type
Audio File Type
Blocked By Outlook File Type
Executable File Type
Image File Type
Office File Type
Video File Type

There Are 5 Responses So Far.

  1.

    This is a GREAT list of RegEx for the ASA, thank you.
    With a PCI audit around the corner I have the following question: do you have a RegEx list for SSNs and credit card numbers?
    I have found some expressions that include the correct ranges for SSNs and major vendors (AMEX, V\MC), but the format must be different for the ASA and Cisco IPS because they don't seem to work. Thanks again.

  2.

    Sir,
    thank you for this wonderful post. But let us say I want to block a URL that contains an IP address and a path; how will I make the regex expression? For example, using regex, how do I block

    http://1.2.3.4/newsbrowser

    I don't want to block this IP address completely, I just want to block this URL…

    Please help me. I tried to find any example of using an IP address in a regex but did not succeed.

  3.

    Hi Faisal,

    Sure, you can use a few of the following that I put together this morning as a starting point. For instance, let's use the same URL you provided as an example. Based on that, here are a few simple regexes I created:

    regex bad_url1 "[Hh][Tt][Tt][Pp][:]\//1\.2\.3\.4\/newsbrowser"
    regex bad_url2 "1\.2\.3\.4\/newsbrowser"
    regex bad_url3 "[Hh][Tt][Tt][Pp][:]\//1\.2\.3\.4\/[Nn][Ee][Ww][Ss][Bb][Rr][Oo][Ww][Ss][Ee][Rr]"

    These are just a few; you can get as creative as you like. Now let's test these regexes on the CLI…

    CCIE6200-ASA# test regex http://1.2.3.4/newsbrowser [Hh][Tt][Tt][Pp][:]\//1\.2\.3\.4\/newsbrowser
    INFO: Regular expression match succeeded.

    CCIE6200-ASA# test regex 1.2.3.4/newsbrowser 1\.2\.3\.4\/newsbrowser
    INFO: Regular expression match succeeded.

    CCIE6200-ASA# test regex HttP://1.2.3.4/NewSBroWser [Hh][Tt][Tt][Pp][:]\//1\.2\.3\.4\/[Nn][Ee][Ww][Ss][Bb][Rr][Oo][Ww][Ss][Ee][Rr]
    INFO: Regular expression match succeeded.

    Hope this helps… -Joe

  4.

    Thank you so much sir,

    This leads me to another question, if you don't mind…

    1. Can we use RegEx in an ACL to control inbound access to web servers residing in the DMZ or internal network? Let us say I want to restrict incoming web requests to just one particular URL… Any other URL entered will be denied…

    For example, if somebody is publishing Microsoft Exchange Outlook Web Access through the ASA… As we know, the URL for Outlook Web Access is https://1.2.3.4/owa; however, the root directory, as well as any other subdirectories created alongside owa by some third-party application, can also be accessed because the ASA is passing all https traffic to the OWA server regardless of the URL…

    For example, someone can just type https://1.2.3.4 and get to the web root directory. So can RegEx expressions be used in an ACL to restrict incoming https requests by URL to internal web servers?

    Thanks once again…

  5.

    You cannot use a regex inside an ACL to accomplish this; it is accomplished using the Modular Policy Framework on the ASA. Here's a very simple example:

    regex http://www.xxx.com "[Ww][Ww][Ww]\.[Xx][Xx][Xx]\.[Cc][Oo][Mm]"

    class-map outside-class
     match port tcp eq www

    policy-map type inspect http http_policy1
     match request uri regex http://www.xxx.com
      drop-connection log

    policy-map outside-policy
     class outside-class
      inspect http http_policy1

    service-policy outside-policy interface outside
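
The patterns in responses 3 and 5 are built the same way by hand: every letter becomes an [Xx] class because the ASA regex syntax has no case-insensitive flag, and the dots of the IP address or hostname are escaped. The Python script below is an added example (not from the original post or from Cisco) that generates such a pattern from a literal URL and imitates the ASA's unanchored `test regex` check against constructed sample URLs, showing why the dots must be escaped and what an unanchored pattern also matches.

```python
import re

# Constructed sample request URLs for this demonstration; none come from the page.
SAMPLE_URLS = [
    "http://1.2.3.4/newsbrowser",          # the URL discussed in the thread
    "HttP://1.2.3.4/NewSBroWser",          # mixed case, must still be caught
    "http://1.2.3.4/newsbrowser-archive",  # longer path, caught by an unanchored pattern
    "http://1a2b3c4/newsbrowser",          # caught only if the dots are left unescaped
    "http://1.2.3.4/news",                 # must never be caught
]

ASA_METACHARS = set(r".^$*+?()[]{}|\/")


def asa_ci_regex(literal: str, anchored: bool = False) -> str:
    """Build an ASA-style regex for `literal`, matching letters in either case.
    Every letter becomes an [Xx] class; metacharacters (the dots of 1.2.3.4
    above all) are backslash-escaped so '.' cannot match an arbitrary character.
    """
    parts = []
    for ch in literal:
        if ch.isalpha():
            parts.append(f"[{ch.upper()}{ch.lower()}]")
        elif ch in ASA_METACHARS:
            parts.append("\\" + ch)
        else:
            parts.append(ch)
    pattern = "".join(parts)
    return f"^{pattern}$" if anchored else pattern


def asa_test_regex(text: str, pattern: str) -> bool:
    """Stand-in for the ASA 'test regex <text> <pattern>' command: like the
    ASA, the search is unanchored, so the pattern may match anywhere in text."""
    return re.search(pattern, text) is not None


def blocked(pattern: str) -> list[str]:
    """Return the sample URLs that `pattern` matches (and so would block)."""
    return [u for u in SAMPLE_URLS if asa_test_regex(u, pattern)]


if __name__ == "__main__":
    escaped = asa_ci_regex("http://1.2.3.4/newsbrowser")
    anchored = asa_ci_regex("http://1.2.3.4/newsbrowser", anchored=True)
    sloppy = "http://1.2.3.4/newsbrowser"  # unescaped: each '.' matches any character
    for label, pat in (("escaped", escaped), ("anchored", anchored), ("unescaped", sloppy)):
        print(f"{label:9} {pat}")
        for url in blocked(pat):
            print(f"          blocks {url}")
```

In an HTTP inspection policy-map, `match request uri` is compared against the request-line URI only (normally just the path, such as /newsbrowser), so when the host part matters it is checked separately with `match request header host regex`.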
